OPM Breach Notification Frustrates Hacked Feds

Some victims of the massive hack expressed fear their privacy might be violated by fraud-protection services the government has outsourced to private companies.

National Journal
Aliya Sternstein, Nextgov
Add to Briefcase
See more stories about...
Aliya Sternstein, Nextgov
June 22, 2015, 6:31 a.m.

Some vic­tims of the massive hack of fed­er­al per­son­nel re­cords ex­pressed fear their pri­vacy might be vi­ol­ated by fraud-pro­tec­tion ser­vices the gov­ern­ment has out­sourced to private com­pan­ies.

As a res­ult, some say they are not en­rolling for the free pro­gram, and at least one Wash­ing­ton-area sen­at­or, cit­ing poor per­form­ance, said it may be time to ter­min­ate one com­pany’s con­tract.

The Of­fice of Per­son­nel Man­age­ment is pay­ing prime vendor Win­vale $21 mil­lion to of­fer cred­it mon­it­or­ing and oth­er safe­guards to 4.2 mil­lion former and cur­rent em­ploy­ees whose per­son­al in­form­a­tion was po­ten­tially ex­trac­ted by sus­pec­ted Chinese hack­ers.

But to ob­tain the ser­vices, fed­er­al work­ers — some of whose in­ner­most per­son­al secrets were taken in a second, re­lated breach — must hand over ad­di­tion­al con­fid­en­tial in­form­a­tion to an­oth­er com­pany, CSID, which has partnered with Win­vale. Data on people who have un­der­gone back­ground-check in­vest­ig­a­tions for sens­it­ive gov­ern­ment po­s­i­tions was en­snared in a sep­ar­ate hack of an OPM sys­tem.

Pri­vacy Policy?

One former secret-clear­ance hold­er, who asked to re­main an­onym­ous be­cause she still does busi­ness with the gov­ern­ment and be­cause of pri­vacy con­cerns, op­ted to re­gister for the ser­vices. Now, she has mis­giv­ings.

On CSID’s web­site, she was asked a series of se­cur­ity ques­tions to prove she was who she claimed to be, one of which ques­tioned wheth­er she had any stu­dent loans, the wo­man said. She says she answered no. The next day, her cell phone — which she says has nev­er re­ceived tele­market­ing calls — re­ceived three rob­ocalls ad­vising her she qual­i­fies for gov­ern­ment as­sist­ance on a stu­dent loan, said the former em­ploy­ee, who re­tired 18 months ago after 20 years of ser­vice.

“I just thought that is such a strange co­in­cid­ence that I get this call after I have had a se­cur­ity ques­tion in­volving wheth­er or not I’ve had a stu­dent loan,” she said. “And I’m not a con­spir­acy the­or­ist.”

The em­ploy­ee sent a mes­sage to OPM through the of­fi­cial CSID email ad­dress shar­ing de­tails of her ex­per­i­ences au­then­tic­at­ing her iden­tity and then re­ceiv­ing so­li­cit­a­tions re­flect­ing know­ledge of her stu­dent-loan eli­gib­il­ity. The em­ploy­ee shared the email with Nex­t­gov. In re­sponse, she re­ceived an off-top­ic form let­ter in­struct­ing her how to sign up for cred­it mon­it­or­ing, also shared with Nex­t­gov.

OPM of­fi­cials say they have been in con­tact with CSID about a vague com­plaint along these lines and told the com­pany that vic­tims’ data must not be used for oth­er of­fer­ings.

“The is­sue was im­me­di­ately ad­dressed with the com­pany to en­sure a com­mon un­der­stand­ing of the gov­ern­ment’s po­s­i­tion that OPM cus­tom­ers would not be so­li­cited to buy oth­er ser­vices as part of the en­roll­ment pro­cess,” OPM spokes­man Sam Schu­mach said.

However, after the free-sub­scrip­tion peri­od is over, CSID is al­lowed to “ap­proach in­di­vidu­als re­gard­ing their de­sire to ex­tend ser­vices,” he said.

CSID of­fi­cials said the com­pany’s ser­vices would not have triggered any tele­market­ing.

“Any calls from so­li­cit­ors en­rollees re­ceived was simply a co­in­cid­ence,” CSID spokes­man Patrick Hill­mann said. “CSID has nev­er, nor ever will, sell or share any of our sub­scribers in­form­a­tion. That is ex­pli­citly stated in our terms and con­di­tions as well as in our pri­vacy policies.”

OPM’s deal with Win­vale states any data the gov­ern­ment provides the con­tract­or and sub­con­tract­ors like CSID must only be used for the agreed-to ID-theft pro­tec­tion ser­vices.

Straight to the Junk Folder?

Some of the em­ploy­ees re­ceiv­ing no­ti­fic­a­tions say they are not even thor­oughly con­vinced the no­ti­fic­a­tion let­ters are le­git­im­ate gov­ern­ment com­mu­nic­a­tions.

The no­ti­fic­a­tions carry the let­ter­head of CSID, ac­com­pan­ied by a small OPM in­signia, and dir­ect em­ploy­ees to a dot-com com­mer­cial web­site for en­roll­ment. A ma­jor­ity of the alerts are be­ing sent by email from a csid.com ad­dress.

The former clear­ance-hold­er, who re­ceived an emailed no­tice last week, said her re­ac­tion was: “Is this a le­git­im­ate email I re­ceived from OPM? Or was this part of the hack? So now I’ve gone out and answered se­cur­ity ques­tions to who?”

OPM of­fi­cials de­clined to com­ment on wheth­er they could sup­ply CSID with a val­id dot-gov email ad­dress and a val­id dot-gov web­site to as­sist with no­ti­fic­a­tion.

“Frankly, it went in­to my junk mail,” the former em­ploy­ee said. “It just so happened I was clean­ing my junk mail and went, ‘Wait a minute, this is from OPM — or it says so.’”

‘Wait­ing for Oth­ers to be the Guinea Pigs’

Some cur­rent fed­er­al per­son­nel say they will pass on the free op­por­tun­ity or wait un­til they hear pos­it­ive feed­back from col­leagues be­fore re­gis­ter­ing.

By press time, OPM and CSID of­fi­cials were not able to provide es­tim­ates of the num­ber of people no­ti­fied who have en­rolled in the ID-theft pro­tec­tion pro­gram.

An In­tern­al Rev­en­ue Ser­vice staffer, who said she holds a clear­ance and was not au­thor­ized to identi­fy her­self pub­licly, said she was wary of the CSID let­ter, which was pur­portedly sent by OPM Chief In­form­a­tion Of­ficer Donna Sey­mour. Nex­t­gov has re­viewed sim­il­ar no­ti­fic­a­tions.

“Per­haps my fed­er­al ser­vice has made me cyn­ic­al, but even in re­ceipt of a let­ter signed by the Donna K. Sey­mour, CIO of OPM, I wasn’t will­ing to take it at face value, prin­cip­ally be­cause it wasn’t on OPM let­ter­head,” the IRS em­ploy­ee said. She said she is “wait­ing for oth­ers to be the guinea pigs” be­fore sign­ing up for the CSID pro­gram.

Yet an­oth­er gov­ern­ment em­ploy­ee, who did not want her name or agency pub­lished for pri­vacy reas­ons, said she will seek fraud-con­trol help from com­pan­ies she already has re­la­tion­ships with.

“I choose not to use the ID-pro­tec­tion ser­vice be­cause I do not trust yet an­oth­er con­trac­ted ser­vice pro­vider,” she said. “I am will­ing to pay for pro­tec­tion ser­vice through a reput­able com­pany at this point.”

The 30-year fed­er­al em­ploy­ee said she has “nev­er felt this in­sec­ure about my per­son­al in­form­a­tion,” es­pe­cially after learn­ing about the hack of sys­tems hold­ing data on per­son­nel who over the years have filed 127-page forms spelling out deeply per­son­al back­ground his­tor­ies on them­selves and their as­so­ci­ates.

“That means not only my in­form­a­tion, but that of my fam­ily is at risk,” she said. “This is in­ex­cus­able.”

Sen­at­or De­mands An­swers

Law­makers say they are hear­ing sim­il­ar cri­ti­cisms from cit­izens about CSID’s per­form­ance.

On Fri­day, Sen. Mark Warner, a Demo­crat from Vir­gin­ia, home to a high con­cen­tra­tion of cur­rent and former fed­er­al work­ers, raised con­cerns about CSID with OPM Dir­ect­or Kath­er­ine Archu­leta.

“My con­stitu­ents have re­por­ted that the web­site crashes fre­quently,” among oth­er tech­nic­al dif­fi­culties con­tact­ing CSID, he said in a let­ter to Archu­leta. “Many have re­por­ted re­ceiv­ing in­ac­cur­ate or out-of-date in­form­a­tion re­gard­ing their cred­it his­tory, which calls in­to ques­tion CSID’s abil­ity to ap­pro­pri­ately pro­tect them from fraud and ID theft.”

He called for the com­pany’s con­tract to be ter­min­ated if it is un­able to deal with cus­tom­ers’ needs. The award OPM is­sued sug­gests “that pro­tect­ing em­ploy­ees ex­posed by the breach is not the top pri­or­ity for OPM that it should be,” he ad­ded. “We ex­pect that OPM will act quickly to cor­rect any such im­pres­sions.”

Re­spond­ing to Warner’s as­ser­tions, CSID’s Hill­mann said provid­ing ID-mon­it­or­ing and res­tor­a­tion ser­vices to those af­fected “is what we have been fo­cus­ing on throughout this pro­cess and what we must con­tin­ue to fo­cus on in the com­ing days and weeks. It would be in­ap­pro­pri­ate to al­low ourselves to be dis­trac­ted by nor com­ment on polit­ic­al mat­ters.”

Nex­t­gov has asked OPM of­fi­cials for com­ment on Warner’s let­ter.

What We're Following See More »
Saudis Admit Khashoggi Killed in Embassy
10 hours ago

"Saudi Arabia said Saturday that Jamal Khashoggi, the dissident Saudi journalist who disappeared more than two weeks ago, had died after an argument and fistfight with unidentified men inside the Saudi Consulate in Istanbul. Eighteen men have been arrested and are being investigated in the case, Saudi state-run media reported without identifying any of them. State media also reported that Maj. Gen. Ahmed al-Assiri, the deputy director of Saudi intelligence, and other high-ranking intelligence officials had been dismissed."

Mueller Looking into Ties Between WikiLeaks, Conservative Groups
10 hours ago

"Special counsel Robert Mueller’s investigation is scrutinizing how a collection of activists and pundits intersected with WikiLeaks, the website that U.S. officials say was the primary conduit for publishing materials stolen by Russia, according to people familiar with the matter. Mr. Mueller’s team has recently questioned witnesses about the activities of longtime Trump confidante Roger Stone, including his contacts with WikiLeaks, and has obtained telephone records, according to the people familiar with the matter."

Mueller To Release Key Findings After Midterms
10 hours ago

"Special Counsel Robert Mueller is expected to issue findings on core aspects of his Russia probe soon after the November midterm elections ... Specifically, Mueller is close to rendering judgment on two of the most explosive aspects of his inquiry: whether there were clear incidents of collusion between Russia and Donald Trump’s 2016 campaign, and whether the president took any actions that constitute obstruction of justice." Mueller has faced pressure to wrap up the investigation from Deputy Attorney General Rod Rosenstein, said an official, who would receive the results of the investigation and have "some discretion in deciding what is relayed to Congress and what is publicly released," if he remains at his post.

FinCen Official Charged with Leaking Info on Manafort, Gates
10 hours ago
"A senior official working for the Treasury Department's Financial Crimes Enforcement Network (FinCEN) has been charged with leaking confidential financial reports on former Trump campaign advisers Paul Manafort, Richard Gates and others to a media outlet. Prosecutors say that Natalie Mayflower Sours Edwards, a senior adviser to FinCEN, photographed what are called suspicious activity reports, or SARs, and other sensitive government files and sent them to an unnamed reporter, in violation of U.S. law."
DOJ Charges Russian For Meddling In 2018 Midterms
10 hours ago

"The Justice Department on Friday charged a Russian woman for her alleged role in a conspiracy to interfere with the 2018 U.S. election, marking the first criminal case prosecutors have brought against a foreign national for interfering in the upcoming midterms. Elena Khusyaynova, 44, was charged with conspiracy to defraud the United States. Prosecutors said she managed the finances of 'Project Lakhta,' a foreign influence operation they said was designed 'to sow discord in the U.S. political system' by pushing arguments and misinformation online about a host of divisive political issues, including immigration, the Confederate flag, gun control and the National Football League national-anthem protests."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.